Ambient: Document that PeerAuthentication mTLS.Mode = DISABLE is a no-op in ambient #14789
Assignees
Labels
area/ambient
area/networking
area/security
area/user experience
good first issue
Indicates a good first issue for new contributors
Comments
bleggett
added
area/security
area/networking
area/user experience
area/ambient
good first issue
11 tasks
|
See also istio/api#3184 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In sidecar, it used to be possible to globally disable mTLS for all workloads at the cluster or namespace level with PeerAuthentication.
In ambient, you can still create a PeerAuthentication policy at the mesh or namespace level that uses DISABLE, but it will be ignored. This is by design, as we do not support DISABLE in ambient - it is effectively an alias for PERMISSIVE.
If you want to drop mTLS for an entire namespace, unlabel the namespace for ambient capture instead, e.g.
kubectl label namespace default istio.io/dataplane-mode-We need to document this behavior, however.
The text was updated successfully, but these errors were encountered: